AUDITOR GENERAL’S MESSAGE

An important responsibility we share as public managers is to compile and report accurate and timely financial information for our individual agencies, as well as for the State as a whole. In this past audit cycle, my Office encountered significant problems with State agencies preparing inaccurate or untimely GAAP reports. This edition of the Audit Advisory highlights some of the problems encountered this past year with agencies’ financial statements, as well as in the reporting of financial information to the Office of the Comptroller. Agencies need to improve their reporting of GAAP information in 2003.

State agencies need to ensure that the processes to collect and maintain computerized information are secure and that the information collected is adequately safeguarded. The Advisory examines ways to help ensure information is properly safeguarded and discusses a recently enacted statute on information collected over the Internet.

Other articles in this Advisory discuss Executive Order Number 10, the recent update to the AICPA Audit and Accounting Guide, and findings from prior audits which may be helpful in avoiding findings in future years.

Hopefully you will find the information in this Audit Advisory to be useful as we work together to serve the


September 2003


During the fiscal year 2002 audits of State agencies, significant problems were experienced with financial reporting in accordance with generally accepted accounting principles (GAAP). Fiscal year 2002 audits contained numerous findings related to problems with GAAP reporting and agency financial statements. These problems included:

• Inaccurate, incomplete, and untimely GAAP forms;
• Untimely completion of financial statements and related disclosures;
• Inadequate infrastructure records and financial reporting;
• Incomplete capital asset records and financial reporting;
• Untimely and incomplete disclosures regarding contingencies and commitments;
• Inaccurate revenue classification; and
• Inaccurate grant classification.

These problems had widespread impact. They:

• Impacted audit scheduling and resources;
• Delayed the completion of individual State agency audits;
• Caused an inordinate number of audit adjustments for agency and statewide financial statements;
• Resulted in the Auditor General’s Office expending significant resources on the fiscal year 2002 statewide financials as well as delaying other planned audit work; and
• Significantly delayed the completion of the State’s fiscal year 2002 Basic Financial Statements. Ultimately, without timely and accurate financial statements, the ability of the State to borrow money may be impacted.


In the fiscal year 2003 audit cycle, the Office of the Auditor General will again give close scrutiny to State agencies’ GAAP forms submitted to the State Comptroller to ensure that they are timely, accurate, complete, and readily traceable to agency records. Another priority will be to ensure agencies prepare timely, accurate, and complete financial statements.

The responsibility for preparing timely and accurate GAAP forms and financial statements rests with State agencies and the Office of the Comptroller. Agencies need to dedicate sufficient resources to these functions. Addressing the problems encountered in the fiscal year 2002 audits may be impacted because of:

• The loss of experienced fiscal personnel due to the early retirement incentive in 2002; and
• Budget issues which may impact agencies’ allocation of sufficient resources in the financial reporting areas.

However, with advance planning, these factors can and should be addressed.

The Office of the Comptroller plans to make some changes related to the fiscal year 2003 financial reporting. Such changes may include:

• Additional automation for GAAP reporting;
• More edits and checks built into current reporting systems;
• More hands-on interaction with State agencies;
• Increased focus on timely review of agency submitted GAAP forms; and
• Less reliance on the post audit program to address financial reporting issues.

EXECUTIVE ORDER 10: CHANGES TO STATE AGENCIES’ INTERNAL AUDIT FUNCTION

Implementation of Executive Order Number 10 insofar as it impacts the Executive Branch's internal audit function is on-going. While the Auditor General is neutral on the Executive Order, we have been and will continue to be in contact with the Department of Central Management Services to help ensure that issues relevant to the external audit function are considered as implementation of this Order proceeds.

Not only do internal auditors often act as liaisons to our external auditors, we also count upon finding a well-developed internal control structure in place and operational when we go to an agency to perform our external audit work.

Under the Fiscal Control and Internal Auditing Act (FCIAA), each agency head continues to be responsible for maintaining an effective system of internal control at his or her respective agency. Specifically, FCIAA provides that:

It is the policy of this State that the chief executive officer of every State agency is responsible for effectively and efficiently managing the agency and establishing and maintaining an effective system of internal control. [30 ILCS 10/1002]

In short, a strong internal audit function is not only required by law but is also an agency's best defense not only against external audit findings but, more importantly, against the waste of taxpayer dollars through inefficient or ineffective operations.

REDUCING THE NUMBER OF FINDINGS


One of the primary purposes of the Audit Advisory is to provide information that will allow State agency management to take actions to correct deficiencies before they become audit findings. A useful source of such information is audit findings that occurred at other State agencies. By reviewing these findings, agency management can conduct a self-assessment to determine whether similar problems might exist at their agency. If such problems exist, then corrective action can be taken to reduce the likelihood of similar findings at their agency.

The following are examples of conditions which resulted in findings in fiscal year 2002 audits conducted by the Office of the Auditor General. Take a few minutes to determine whether your agency might have similar problems that need to be addressed.

Submission of GAAP Reports and Financial Reporting

• Various GAAP forms were not prepared accurately or timely. No audit trail was maintained to support dollar amounts reported on GAAP forms submitted to the State Comptroller. For additional discussion of GAAP and financial reporting issues found in the fiscal year 2002 audits, see article titled “Improvements Needed in Preparation of GAAP Forms and Financial Statements” on page 1 of this issue of the Audit Advisory;
• No procedures were in place to ensure cash receipts were properly reconciled between agency and State Comptroller records; and
• Quarterly accounts receivable reports were incomplete and not reviewed.

Use of State Vehicles

• Required evidence of certification of automobile liability insurance was not obtained from employees authorized to operate a vehicle for State purposes;
• Personally assigned vehicles were not evaluated annually to determine whether the assignment was still justifiable and in the best interests of the State; and
• Accident reports were not submitted in a timely manner.


Internal Auditing

• Audits of major systems of internal accounting and administrative controls were not performed at least once every two years;
• The internal audit unit was not free from operational duties; and
• The chief internal auditor did not report directly to, or have direct communication with, the agency head.

Telecommunications

• Telecommunications policies and procedures were not specific regarding the issuance, usage, and revocation of telephones, pagers, and calling cards.

Contractor or Provider Monitoring

• Few on-site audits of providers were conducted;
• Contractors were paid even though required detailed timesheets were not submitted;
• Payments were made to contractors without supporting documentation; and
• Future fiscal year costs were prepaid using current year appropriations.

Property Control and Commodities

• Property items were disposed of before obtaining DCMS approval;
• Disposed items were not deleted from property control records;
• Property items could not be located;
• Property items were not tagged;
• Commodities sampled did not agree to inventory records;
• Donated assets were not recorded on financial or property records; and
• No comprehensive inventory of excess land had been compiled.

OVERVIEW OF THE AUDIT PROCESS

Over the past year, agencies have had to make many adjustments due to early retirements, budget cuts, and new leadership in the State of Illinois. New employees may find themselves faced with their first audit by the Office of the Auditor General (OAG).

(Cont. on p. 3)


INFORMATION SYSTEMS REVIEWS


Computer Security Recommendations

• Establish a security administration function. A clearly defined administration function can provide the necessary guidance and oversight to ensure that security objectives are achieved.

• Develop computer security policies and procedures. Policies should outline the basic security guidelines and identify the user’s responsibility in protecting computer resources. Policies and procedures, which should be updated annually and given to all users, should include:
  • Appropriate uses of computer equipment;
  • General security provisions;
  • Routine backup of information and off-site storage of backups;
  • System development procedures;
  • Virus protection measures; and
  • Individual responsibility to protect computer resources.

• Establish a security awareness program. A security awareness program should be developed to keep employees aware of security issues via memoranda, e-mails, etc.

• Establish security standards. Standards should be established to help ensure computer security. The following examples are not intended to be all inclusive and may not be appropriate in all circumstances, but serve as general guidelines that provide State government with some minimum standards for computer security.
  • Each user should have an individual ID.
  • Passwords should be required, have a minimum length of six characters, include special characters, and be changed at least every 35 days.
  • The number of times a user can log into a system after their password expires and before they change it should be limited to no more than three attempts.
  • A password history should be maintained to prohibit re-use of passwords.
  • After five unsuccessful attempts to enter a valid password for an ID, the ID should be revoked.
  • Unless a user requires 24 hour access to a computer system, time restrictions should be set to limit when he or she can use the system.
  • If a user has no activity on a system for a maximum of 60 minutes, the session should be deactivated until a valid password is entered.
  • Access to information and resources should be limited based on the user's need and job duties.
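
As an added illustration (not part of the Advisory), the numeric standards above can be checked automatically against a system's account-policy settings. The field names are hypothetical and must be mapped to a real platform's parameters; a value of 0 or -1 often means a control is switched off, so the check treats those values as findings rather than as "below the limit".

```python
"""Added example: check account-policy settings against the minimum standards
listed above. Field names are hypothetical; map them to your platform's settings."""
from dataclasses import dataclass


@dataclass
class AccountPolicy:
    system: str
    shared_ids: int          # IDs used by more than one person
    min_length: int          # minimum password length
    special_chars: bool      # special characters required
    max_age_days: int        # 0 means passwords never expire
    grace_logins: int        # logins allowed after expiry; -1 means unlimited
    history_depth: int       # remembered passwords; 0 means no history
    lockout_after: int       # failed attempts before the ID is revoked; 0 means never
    idle_timeout_min: int    # 0 means sessions never time out


def audit(p: AccountPolicy) -> list[str]:
    """Return one finding per standard the policy does not meet."""
    # Each rule is (violated?, description). A "disabled" sentinel (0 or -1)
    # counts as a violation even though it is numerically under the limit.
    rules = [
        (p.shared_ids > 0, "each user should have an individual ID"),
        (p.min_length < 6, "minimum password length below six characters"),
        (not p.special_chars, "special characters not required"),
        (p.max_age_days == 0 or p.max_age_days > 35,
         "passwords not changed at least every 35 days"),
        (p.grace_logins < 0 or p.grace_logins > 3,
         "more than three logins allowed after password expiry"),
        (p.history_depth < 1, "no password history to prevent re-use"),
        (p.lockout_after == 0 or p.lockout_after > 5,
         "ID not revoked after five unsuccessful attempts"),
        (p.idle_timeout_min == 0 or p.idle_timeout_min > 60,
         "idle sessions not deactivated within 60 minutes"),
    ]
    return [f"{p.system}: {msg}" for violated, msg in rules if violated]


# Constructed sample settings for two fictional systems.
COMPLIANT = AccountPolicy("payroll", 0, 8, True, 30, 3, 6, 5, 15)
WEAK = AccountPolicy("legacy-grants", 2, 6, False, 0, -1, 0, 0, 90)

if __name__ == "__main__":
    for policy in (COMPLIANT, WEAK):
        findings = audit(policy)
        print(policy.system, "meets the standards" if not findings else "findings:")
        for finding in findings:
            print("  -", finding)
```

The time-of-day and need-based access standards are not covered because they depend on each user's job duties rather than on a system-wide setting.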


Each year, approximately 20 expanded scope Information Systems (IS) reviews are performed in conjunction with compliance audits. The primary objective of an IS review is to ensure agency management has established an appropriate security structure and that information assets and resources are adequately protected from unauthorized or accidental disclosure, modification, or destruction. Some areas that are frequently reviewed include:

Security Administration - Primary areas include a review of security guidelines, end user security awareness, and the assignment of security personnel. A formal risk assessment conducted by an agency is a solid technique to help establish a sound foundation for security decisions;

Electronic Commerce - Primary areas include a review of electronic transactions to ensure they are secure, valid, and comply with applicable external requirements. Additional issues include procedures for assuring routine balancing of transactions, privacy provisions, and assessments of the adequacy of controls at third party service providers;

Logical Access - Primary areas include a review of logical security parameters (password content, length, change interval, etc.) and individual access rights to ensure they align with job responsibilities; and

Systems Development - Primary areas include a review to ensure that a suitable structured systems development methodology exists and is utilized to ensure that applications are developed and/or modified in a manner that promotes consistency, integrity, and security and to ensure that applications satisfy management’s intentions.


AUDIT PROCESS (cont. from page 2)

All State agencies receive a financial and compliance audit at least once every two years. The General Assembly may also direct the Auditor General to conduct a performance audit of your agency.

The following are some key aspects of the audit process:

• At the beginning of the audit an entrance conference will be held to discuss the conduct of the audit; an exit conference will be held at the audit’s conclusion to discuss any findings and recommendations;
• Auditors will likely request many documents related to the scope of the audit, including financial documents, policy and procedures manuals, organizational charts, information technology system documentation, contracts, and grants;
• From the date an agency receives the draft report, OAG rules allow agencies 7 calendar days to request an exit conference, 14 calendar days to have the exit conference, and 21 calendar days to submit any written comments;
• The Legislative Audit Commission, a bi-partisan commission comprised of 6 Senators and 6 Representatives, holds hearings on audits released by the Office of the Auditor General. At the hearings, auditors present the main results of the audit, agency officials make opening remarks, and then the Commission members follow up on the audit’s findings; and
• Agencies should review the prior OAG audit. Special attention should be paid to ensure that prior audit findings have been addressed, since any uncorrected prior findings will be repeated in the subsequent audit.

Should you have questions about the on-going audit, contact the assigned OAG audit manager. If you would like more information on the Office of the Auditor General, visit our Web site at: http://www.state.il.us/auditor/.

AICPA AUDIT AND ACCOUNTING GUIDE UPDATED
In response to the Governmental Accounting Standards Board’s (GASB) Statement No. 34, the AICPA developed a new Audit and Accounting Guide, Audits of State and Local Governments (GASB 34 Edition). The GASB 34 Edition of the Guide is effective for audits of state or local government’s financial statements for the first fiscal period ending after June 15, 2003, in which the government does apply, or is required to apply, the provisions of GASB Statements 34 or 35. GASB Statement No. 35 amended Statement 34 to require public colleges and universities to follow the requirements of GASB 34.

As with prior editions of the Guide, the GASB 34 Edition provides summary information regarding governmental accounting, practical audit considerations, and audit reporting examples.

The Guide is available in electronic and print versions (see the AICPA’s Web site: www.cpa2biz.com).


AUDITOR GENERAL’S OFFICE RECEIVES NATIONAL AWARD


The National Conference of State Legislatures’ National Legislative Program Evaluation Society (NLPES) awarded the Auditor General’s Office the Certificate of Recognition of Impact for the Management Audit of Agency Use of Internet User Tracking Technology. The award is given annually by NLPES for audit reports that demonstrate significant impact on public policy, such as resulting in program ' legislative changes. A audit, many State agenci .iiied the information they collected over the Internet and revised or adopted privacy policies. Legislation was also introduced which addresses issues raised in the management audit. In July 2003, this legislation was signed by the Governor (see inset). The Office has received this award in each of the past five years.


State Agency Web Site Act

House Bill 32 created the State Agency Web Site Act. The Bill was passed by the General Assembly in May 2003 and signed into law as Public Act 93-0117 on July 10, 2003. The legislation addresses issues raised by the Auditor General’s Management Audit of Agency Use of Internet User Tracking Technology released in January 2002. The Act contains requirements as to the types of “cookies” State agency Web sites can use. The Act defines a “cookie” as a set of computer data or instructions placed on a consumer’s computer by a Web site server to collect or store information about the consumer.

While the Act allows State agencies to use transactional cookies (typically information about a user that is needed to complete a transaction but is deleted when the user’s web browser is closed), it generally prohibits State agencies from using permanent cookies or other invasive tracking programs that monitor and track Web site viewing habits. A permanent cookie remains on the user’s computer and is often used to recognize the user on subsequent visits to a Web site. The Act allows permanent cookies to be used if they add value to the user that is otherwise not available, and if the permanent cookies are not used to monitor and track Web site viewing habits unless all types of information collected and the State’s use of that information add user value and are disclosed through a comprehensive online privacy statement. The Act also establishes an Internet Privacy Task Force which will be responsible for exploring the technical and procedural changes that are needed in the State’s computing environment to ensure that visits to State Web sites remain private. The Act becomes effective on January 1, 2004.
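
As an added illustration (not part of the Advisory or the Act), the following Python classifies Set-Cookie response headers into the two kinds of cookie described above, so that permanent cookies can be listed for review against the privacy statement. It assumes a transactional cookie is one with no Expires or Max-Age attribute, which the browser discards when it closes; the sample headers, cookie names and reference date are constructed.

```python
"""Added example: classify Set-Cookie headers as transactional or permanent."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def classify_set_cookie(header_value, now):
    """Return (name, kind, lifetime); kind is 'transactional', 'permanent'
    or 'deletion', and lifetime is a timedelta or None."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    lifetime = None
    if "max-age" in attrs:
        # Max-Age takes precedence over Expires (RFC 6265).
        try:
            lifetime = timedelta(seconds=int(attrs["max-age"]))
        except (ValueError, OverflowError):
            pass  # an unparseable Max-Age is ignored
    if lifetime is None and "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
            if expires.tzinfo is None:
                expires = expires.replace(tzinfo=timezone.utc)
            lifetime = expires - now
        except (TypeError, ValueError):
            pass  # an unparseable Expires is ignored

    if lifetime is None:
        return name, "transactional", None   # gone when the browser closes
    if lifetime <= timedelta(0):
        return name, "deletion", lifetime    # server is clearing the cookie
    return name, "permanent", lifetime       # survives on the user's computer


def permanent_cookies(headers, now):
    """Names of cookies that persist and therefore need review and disclosure."""
    results = (classify_set_cookie(h, now) for h in headers)
    return [name for name, kind, _ in results if kind == "permanent"]


# Constructed reference time and sample headers.
NOW = datetime(2004, 1, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "visitor=42; Expires=Fri, 31 Dec 2010 23:59:59 GMT; Path=/",
    "prefs=lang-en; Max-Age=31536000; Secure",
    "old=; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
    "cart=7; Max-Age=0; Expires=Fri, 31 Dec 2010 23:59:59 GMT",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_set_cookie(header, NOW))
```

An expired date or a Max-Age of zero is how a server removes a cookie, so those headers are reported separately instead of being counted as permanent.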